Impact
Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code.
Patches
This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2.
Workaround
Limit access to the configuration to yourself or users you can trust.
Who Is Affected
- Check the configured module paths in the general configuration for suspicious entries.
- Check the file /etc/icingaweb2/resources.ini (the path may vary, depending on your configuration) and look for sections with the option type set to ssh. If all other options of such a section look normal, you're not affected.
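One way to automate the resources.ini check above, as an added example that is not part of the advisory or of Icinga Web 2 itself: it parses the file, lists every section whose type is ssh, and flags sections whose values contain a parent-directory component or whose user option contains a path separator. That flagging rule is a heuristic assumption for "options that do not look normal", not a definition from the advisory, and the sample file content is constructed.

```python
import configparser
import re
import sys

# Constructed sample content in the quoted-value style Icinga Web 2 writes;
# not taken from a real installation.
SAMPLE_RESOURCES_INI = """\
[icingadb]
type = "db"
db = "mysql"
host = "localhost"

[ops-ssh]
type = "ssh"
user = "icinga"
private_key = "/etc/icingaweb2/ssh/icinga"

[odd-ssh]
type = "ssh"
user = "../../../tmp/x"
private_key = "/etc/icingaweb2/ssh/../../../tmp/x"
"""

# A ".." path component anywhere in a value.
PARENT_DIR = re.compile(r"(^|/)\.\.(/|$)")

def ssh_resources(ini_text):
    """Return {section: {option: value}} for every section with type = ssh."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    found = {}
    for name in cp.sections():
        opts = {k: v.strip('"') for k, v in cp.items(name)}
        if opts.get("type") == "ssh":
            found[name] = opts
    return found

def flag_suspicious(sections):
    """Heuristic (assumption): flag SSH sections with '..' components in any value
    or a path separator in the user option, which should be a plain username."""
    flagged = []
    for name, opts in sections.items():
        if any(PARENT_DIR.search(v) for v in opts.values()) or "/" in opts.get("user", ""):
            flagged.append(name)
    return sorted(flagged)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/icingaweb2/resources.ini"
    with open(path) as fh:
        sections = ssh_resources(fh.read())
    for name, opts in sections.items():
        mark = "SUSPICIOUS" if name in flag_suspicious(sections) else "ok"
        print(f"[{name}] {mark}: {opts}")
```

Run it against the real file as a user that can read it; a clean installation with no SSH resources prints nothing.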
References
Further technical details will be disclosed on https://blog.sonarsource.com/tag/security after some time.
For more information
If you have any questions or comments about this advisory, you can contact:
- The original reporters, by sending an email to vulnerability.research [at] sonarsource.com;
- The maintainers, by asking for assistance on the forums